Congress Tackling E-Commerce Privacy: Yeah, That’ll Help

Written by Evan Schuman
May 6th, 2010

A pair of Congressmen—one from each major political party—this week started floating proposed wording for an E-Commerce privacy law, one that is supposed to give power to the consumer. But the law would require retailers to halt using years-old customer data that is far too integrated to be extracted.

To be clear, the bill’s draft will have to get through two congressional chambers that are hardly filled with people for whom E-Commerce privacy legislation is a priority. Even if it somehow makes it through, the bill will undergo major wording changes. That all said, it’s the most concrete federal E-Commerce privacy draft we’ve seen, and it’s worth exploring if for no other reason than to make retail IT execs very afraid.

The draft bill comes to us courtesy of Rep. Rich Boucher, a Virginia Democrat who is chairman of the House subcommittee on Communications, Technology and the Internet, and Rep. Cliff Stearns, a Florida Republican.

A key provision of the proposed bill (nerdy detail: This is a draft of the legislation circulated for comment. It has yet to even be officially introduced) is to restrict information given to a retailer from being distributed to an outside business, such as a marketing firm that sends spam or junkmail.

That’s politically safe territory. But the wording is sufficiently vague to raise other concerns. For instance: “An individual has a reasonable expectation that a company will not share that person’s information with unrelated third parties,” the proposed bill says. “If a company wants to share an individual’s personally identifiable information with unaffiliated third parties other than for an operational or transactional purpose, the individual must grant affirmative permission for that sharing.”

The problem is the bill doesn’t define “unaffiliated parties.” Presumably, that excludes payment processors. But what about mobile partners? Or firms that might access CRM databases to determine customized homepages? Or even custom comment services, which might need to identify the customer to post relevant user-selected images?

Indeed, the bill presents somewhat of a logical paradox. Its requirement that consumers be able to declare themselves off-limits for certain data retention in and of itself potentially forces a third party to need to identify each consumer to check a permissions file.

The bill, by the way, doesn’t require the deleteion of such confidential data, merely that it not be used, other than in aggregate. That stance certainly courts trouble. It’s like telling a hungry 3-year-old he’s allowed to have the candy, open the package and smell the candy, but he’s expected to not eat the candy.

The bill is trying to do what’s right, but the world of E-Commerce is a little more complicated than the bill assumes. Consider this message: “The consent requirements of this subsection shall not apply to the collection, use or disclosure of covered information for a transactional purpose or an operational purpose, but shall apply to the collection by a covered entity of covered information for marketing, advertising or selling, or any use of or disclosure of covered information to an unaffiliated party for such purposes.”

That would be fine, were it not for the fact that many operational aspects of a major E-Commerce site are indeed intertwined with marketing and certainly with selling. The entire site, by definition, is one big attempt at selling. Is site customization operational or, given that it’s trying to push certain products, is it marketing?

What about this statement: “If an individual declines consent at any time subsequent to the initial collection of covered information, the covered entity may not collect covered information from the individual or use covered information previously collected.”

This bill is, in effect, placing a retroactive requirement on retailers. Given that some of this private data might have been collected and distributed four years ago, how easy will it be to locate and remove all that retroactively forbidden fruit?


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.